docs(container): warn about K8s init-container tag mismatch + RollingUpdate hazard on shared data volumes (refs #9940)#10014
Conversation
WalkthroughAdds a Kubernetes section describing safe sharing of /var/lib/pgadmin via init containers, requiring init/sidecar image tags not be newer than the main pgAdmin image and recommending ChangesKubernetes Data Volume Sharing Documentation
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…umes Refs pgadmin-org#9940. Issue pgadmin-org#9940 reported a SQLite "no such column: sharedserver.db_res" error on a Kubernetes deployment where the main pgAdmin container was pinned to 9.13 but an init container (running `setup.py load-servers` to import a servers.json) used the `pgadmin4:latest` image. The init container's migrations advanced the schema past 9.13's ORM expectations — specifically the `sharedserver_feature_parity_` migration (introduced in 9.15 via PR pgadmin-org#9835) drops the `db_res` column from `sharedserver`. This is a real hazard of pgAdmin's forward-only-with-destructive- operations migration model when combined with the K8s init-container pattern, but it wasn't documented anywhere. Operators hitting this have no guidance on how to avoid it. Add a short section to docs/en_US/container_deployment.rst: - The single rule: init container's image tag must NOT be newer than the main container's, when they share a data volume. - A concrete Helm-values example showing the pinned tags side by side, with an explicit "Do NOT use :latest" note. - A reminder that during upgrades, every reference to the image tag must move together. Pure docs-only change — no code touched. Reviewable on its own.
b02627c to
a3f998f
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/en_US/container_deployment.rst`:
- Around line 593-600: Update the examples so Helm-values keys are not mixed
with raw Deployment fields: either split the shown snippets into two labeled
blocks (one demonstrating Helm values using keys like image.registry,
image.repository, image.tag and strategy.type in values.yaml, and a separate raw
Deployment manifest showing image: docker.io/dpage/pgadmin4:9.14,
spec.strategy.type, and extraInitContainers), or replace the current examples
with Helm-values-native keys only (remove Deployment-style fields such as image:
docker.io/dpage/pgadmin4:9.14 and spec.strategy.type from the values example and
instead show image.registry/repository/tag and strategy.type). Ensure the same
change is applied to the other occurrence noted (the snippet around
spec.strategy.type).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 2f971ea4-af50-42de-b36b-fef4b8d523c1
📒 Files selected for processing (1)
docs/en_US/container_deployment.rst
…ngUpdate hazard on shared data volumes (#10014)
|
Merged to |
|
(∧ _ ∧) ✅ Action performedComments resolved. Approval is disabled; enable |
Add 14 release-note entries that were merged on master but not yet captured in the 9.16 notes: 1 new feature (#2431), 6 housekeeping (#9817, #9866, #9917, #9959, #10014, #10023) and 7 bug fixes (#9701, #9782, #9933, #9952, #9985, #10013, #10030). Entries inserted in numeric order within each section. Also add an "Additional changes (no associated issue) -> Dependencies" section mirroring the 9.15 format, listing net direct dep bumps between REL-9_15 and HEAD across Python (requirements.txt, tools/requirements.txt, web/regression/requirements.txt), web/ package.json, and runtime/package.json. Transitive yarn resolutions and the setuptools pin (covered by bug fix #9829) are excluded.
Refs #9940.
Why
Issue #9940 reported
(sqlite3.OperationalError) no such column: sharedserver.db_resfrom a Kubernetes pgAdmin deployment where the main container and an init container ran on different image tags but shared/var/lib/pgadmin. Root cause: PR #9835 (Apr 2026, ships in 9.15) added a migration that dropsdb_resfromsharedserver. When the init container ranpgadmin4:latest(had the drop migration) and the main container ran9.13(didn't), the init container advanced the schema past 9.13's ORM and the main container'sSELECT sharedserver.db_res …queries started failing.Discussion on the issue exposed a second, related hazard the operator hadn't asked about: even with both image tags pinned correctly, a K8s rolling upgrade across pgAdmin versions is unsafe when old and new pods share a data volume. During the
RollingUpdateoverlap window, the new pod migrates the schema while the old pod is still serving traffic — destructive migrations (column drops, table renames, etc.) immediately break the still-alive old pod's queries.Both hazards are real, both are operator-side configuration concerns, and neither is documented anywhere.
What this PR does
Adds a section to
docs/en_US/container_deployment.rst(after the existing Traefik section, at the end of the file) titled "Sharing the data volume across containers (Kubernetes init containers)", with two subsections:Init-container tag pinning — the rule: the init container's tag must not be newer than the main container's. Example: Helm values showing both pinned to the same version, with an explicit "Do NOT use
:latest" note. Why: pgAdmin migrations are forward-only with destructive operations.Use
strategy: Recreate, notRollingUpdate— the rule: deployment strategy must beRecreate. Why: the rolling-update overlap window between old and new pods sharing a data volume is unsafe with single-step destructive migrations (no expand-contract pattern); the only safe path is to kill the old pod before the new one migrates. Trade-off: a few seconds of downtime per upgrade, in exchange for not serving traffic from a pod whose ORM is misaligned with the database schema underneath it.What this PR doesn't do
This is a docs-only change — no code, no migration changes, no behavior change. The reporter on #9940 has a concrete workaround (pin the init container tag and switch to
Recreate); this PR ensures future operators don't hit either trap without warning.A longer-term, code-side improvement would be a startup-time
alembic_versionmismatch check: at pgAdmin main-container boot, refuse to start with a clear error if the DB has been migrated by a newer pgAdmin than the running code. That's its own design discussion and out of scope here.A still-longer-term option — adopting the expand-contract migration pattern so destructive operations span multiple releases and rolling upgrades become safe — would be a substantial design change to pgAdmin's migration policy, also out of scope.
Stats
Test plan
docutils.core.publish_doctreeparses without new warnings/errorsmake docs(Sphinx HTML build) and confirm both subsections render correctly indocs/en_US/_build/html/container_deployment.html.